<?php
$myAcl = new Zend_Acl();

/**
 * Application Roles
 * 
 * guest: a user who has not logged in yet
 * customer: these are the clients. They have access read/write to all their own information
 * customer-readonly: these are clients sub-users who can only read their info
 * admin: this is the super user. this person can read/write any account
 * 
 * @todo Extensions will need to have the ability to add resources and grant roles permission
 * to their resources. I am not sure yet if extensions should be able to create roles or not.
 */

$myAcl->addRole(new Zend_Acl_Role('guest')) // guest access
	->addRole(new Zend_Acl_Role('customer'), 'guest') // customer inherits guest
	->addRole(new Zend_Acl_Role('admin'), 'customer'); // admin inherits customer

/**
 * Resources
 *
 * These are the things that a user might need access to
 */
require_once 'Zend/Acl/Resource.php';
$myAcl->add(new Zend_Acl_Resource('admin:index'))
	  ->add(new Zend_Acl_Resource('admin:auth'))
	  ->add(new Zend_Acl_Resource('admin:category'))
      ->add(new Zend_Acl_Resource('admin:product'))
      ->add(new Zend_Acl_Resource('admin:customer'))
	  ->add(new Zend_Acl_Resource('auth'))
      ->add(new Zend_Acl_Resource('user'))
      ->add(new Zend_Acl_Resource('tests'))
      ->add(new Zend_Acl_Resource('error'))
      ->add(new Zend_Acl_Resource('index'))
      ->add(new Zend_Acl_Resource('product'));

/**
 * Permissions
 *
 * These are the individual fine-grained permissions that say whether a "role" has access to a "resource" or not
 * There are some permissions that can't be decided until the user has actually gone to the controller/action in question.
 * For instance, customers need to have "edit" access to the "customers" resource, but only if it is their own account. To solve
 * this problem, the application makes use of an "action helper" inside of the controller/action that will reject the user if they don't have access.
 */
$myAcl->allow('guest', 'auth') // anybody can view the auth pages
      ->allow('guest', 'error') // anybody can view error pages
      ->allow('guest', 'tests') // anybody can view tests pages (?)
      ->allow('guest', 'index', array('index')) // anybody can view the index page
      ->allow('guest', 'user', array('register'))
	  ->allow('guest', 'product')
	  // admin functions
	  ->allow('admin', 'admin:index')
	  ->allow('admin', 'admin:auth')
	  ->allow('admin', 'admin:category')
	  ->allow('admin', 'admin:customer')
	  ->allow('admin', 'admin:product');